
A Zero Trust Architecture Lesson From “Galaxy Quest”

Who knew such sage security advice could come from the 1999 sci-fi comedy “Galaxy Quest”? Tim Allen, the captain of a ragtag alien-vanquishing team, utters his signature quip multiple times throughout the film: “Never give up, never surrender.” It is only at the end of the battle that he truly believes in the power of the rallying cry. Bolstered by Allen’s confidence in the face of adversity, Sigourney Weaver, Alan Rickman and company beat the extraterrestrial enemies and save the world.

“Never give up, never surrender” is an excellent motto to drive today’s cybersecurity teams. Security teams face challenges every day as they defend their data against outside threats. These teams are generally small, and globally there is a staffing shortage of more than 3 million cybersecurity experts.[1] In addition to a can-do attitude in the face of adversity, a Zero Trust architecture is key in the fight against cybercriminals.

Data and its predators

Data is secured through five control points: access/identity, endpoints, workloads, networks and cloud (both private and public native clouds). Securing these five control points is not easy. Malware can stay hidden in a network for weeks or even months, stealing information, learning behaviors and expanding its capabilities to defeat defenses. Believe it or not, on average it takes companies with a remote workforce of 50% or more 316 days to fully recover from a breach. The average cost of a data breach is roughly USD 4.24 million, a 10% increase year over year, according to IBM.

It is crucial to have a security team that responds swiftly to security threats. Speed and attention can be the difference between detecting and remediating a breach in a couple of hours versus a couple of days, and that difference is the gap between a simple laptop reimaging and millions in lost revenue. Knowing this, security teams need to adopt the “Never give up, never surrender” mantra with a supporting Zero Trust architecture.

What is Zero Trust?

Zero Trust is a security model that does not automatically trust entities inside the security perimeter. NIST states, “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.” The new paradigm is never trust, always verify, and enforce least privilege.

VMware segments Zero Trust into five pillars: device trust, user trust, transport/session trust, application trust and data trust. Each pillar is linked to one or more of the control points (access/identity, endpoint, workload, network and cloud). Ultimately, to adopt a Zero Trust architecture, you must establish trust for each control point. 

It may seem overwhelming when you’re first establishing a Zero Trust architecture for your environment. Following a structured, proven methodology sets you up for success. Consider an outcome-focused approach, which identifies current capabilities and drives you forward based on your desired outcomes. This approach uses collaborative workshops and creates an IT roadmap based on VMware best practices and industry standards. Many times, security teams decide to start by securing the data inside their workload and network first, using a Zero Trust architecture.

Zero Trust for your workload and network

Using a Zero Trust architecture to secure your data and stay active against threats requires a unique combination of software and automation.

Cyberthreats enter from the outside, but the damage comes from how far they can spread once inside. Network segmentation is a network security technique that divides a network into smaller, distinct subnetworks and lets security teams control each subnetwork’s security policies. This keeps an attacker who has compromised one subnetwork from moving deeper into the network and compromising your data.

In addition to adding network segmentation to your workload and network, it is important to have a VMware NSX Service-defined Firewall. This is a distributed, scale-out internal firewall that protects all east-west traffic with security that is intrinsic to the infrastructure, which radically simplifies the security deployment model. It includes a stateful L4-L7 firewall, an intrusion detection/prevention system (IDS/IPS), a network sandbox and behavior-based network traffic analysis. With the NSX Service-defined Firewall, security teams can protect data center traffic across virtual, physical, containerized and cloud workloads from internal threats and avoid damage from threats that make it past the network perimeter.

The distributed internal firewalls borrow distributed enforcement from network segmentation solutions to manage east-west traffic scale and granularity requirements. Simultaneously, they retain the enterprise edge firewall’s ability to create and enforce security policies based on users and applications and include threat controls such as IDS/IPS, NTA/NDR and sandboxing.
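The two ideas in the paragraphs above, a default-deny east-west policy between segments and distributed enforcement where each host only carries the rules that touch its own workloads, can be seen in a small policy evaluator. The following is an added illustration, not NSX code or any VMware API; the segment names, address plan, rules and flows are constructed for the example.

```python
"""Default-deny east-west policy for segmented workloads (added illustration,
not NSX code). Segments, addresses, rules and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_segment: str      # segment name or "any"
    dst_segment: str
    dport: Optional[int]  # None matches any port
    proto: Optional[str]  # None matches any protocol
    action: str           # "allow" or "deny"


# Constructed address plan: one subnet per segment (hypothetical values).
SEGMENTS = {
    "web":  ip_network("10.0.1.0/24"),
    "app":  ip_network("10.0.2.0/24"),
    "db":   ip_network("10.0.3.0/24"),
    "mgmt": ip_network("10.0.9.0/24"),
}


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the plan is 'unknown'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


# Ordered allow-list; first match wins; anything unmatched is denied.
RULES = [
    Rule("web-to-app", "web",  "app", 8443, "tcp", "allow"),
    Rule("app-to-db",  "app",  "db",  5432, "tcp", "allow"),
    Rule("mgmt-ssh",   "mgmt", "any",   22, "tcp", "allow"),
]


def evaluate(flow: Flow, rules=RULES):
    """Return (action, rule name) for a flow under a default-deny policy."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    for r in rules:
        if r.src_segment not in ("any", s):
            continue
        if r.dst_segment not in ("any", d):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def rules_for_host(local_segments, rules=RULES):
    """Distributed enforcement: a hypervisor host only needs the rules that
    touch a segment it hosts, plus rules written against 'any' segment."""
    return [r for r in rules
            if r.src_segment in local_segments
            or r.dst_segment in local_segments
            or "any" in (r.src_segment, r.dst_segment)]


if __name__ == "__main__":
    # Constructed flows: a legitimate tier hop, then a lateral move that
    # skips the app tier and goes straight from web to the database.
    for f in (Flow("10.0.1.10", "10.0.2.10", 8443, "tcp"),
              Flow("10.0.1.10", "10.0.3.10", 5432, "tcp")):
        print(f, "->", evaluate(f))
    print("rules a db-only host must carry:",
          [r.name for r in rules_for_host({"db"})])
```

The second constructed flow is the one segmentation exists to stop: the source is a web server, the destination is the database, and because no rule names that pair the flow falls through to the implicit deny even though the port is a real service port. A host that only runs database workloads needs just two of the three rules, which is what keeps per-host rule sets small as the environment grows.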

An additional key component of the NSX Service-defined Firewall is the network sandbox. Full-system emulation matters here because it lets the sandbox observe every instruction a process executes, whereas a traditional sandbox can only observe the interactions between a program and the underlying operating system. Visibility is an important aspect of moving toward a Zero Trust architecture.

Using automation as another coworker

Attacks are coming, intrusions will happen, and all the defenses in the world cannot help you fight them if your crew is short-staffed. Treating automation as another member of the crew is crucial for security teams to succeed.

The final element in moving toward a Zero Trust architecture is network traffic analysis (NTA) together with distributed, behavior-based IDS/IPS. These elements provide the automation, network visibility, detection and prevention of advanced threats that security teams need to stay on top of cyberattacks.

NTA identifies unwanted network behaviors, allowing security experts to detect threat actors attempting to break into a network, move laterally and exfiltrate stolen information.

VMware NSX Distributed IDS/IPS scans network traffic for signs of attack by matching signatures against packet payloads. It has two key characteristics. First, the IDS is distributed and runs on every host. Second, VMware has rich context about the workloads running on each host, which lets it tailor the signature set deployed there and load only the signatures relevant to the workloads that host protects. A small, tailored subset of signatures per host greatly reduces accidental signature matches, and with them false positives, and streamlines your SOC’s operations.

These components produce alerts, and network detection and response (NDR) aggregates those alerts across multiple assets, giving a security analyst a high-level view of all ongoing intrusions.
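The two preceding paragraphs describe per-host signature tailoring and the NDR roll-up of the resulting alerts. The following added example, which is not NSX code and uses no VMware API, shows both on constructed data: each host loads only the signatures whose workload attributes it actually runs, a payload that would trip an irrelevant signature is a non-event on a tailored host, and alerts from two hosts are grouped by source so one actor appears as one intrusion. Signature IDs, patterns, host names and packets are all hypothetical.

```python
"""Per-host signature tailoring and cross-host alert roll-up (added
illustration, not NSX code). SIDs, patterns, hosts and packets are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    applies_to: FrozenSet[str]  # workload attributes the rule is written for
    pattern: bytes              # byte pattern matched against the payload


# Constructed catalogue; SIDs and patterns are hypothetical.
CATALOG = [
    Signature(1001, "http-path-traversal", frozenset({"svc:http"}), b"../../"),
    Signature(1002, "smb-admin-share-probe", frozenset({"os:windows", "svc:smb"}), b"\\ADMIN$"),
    Signature(1003, "postgres-copy-to-program", frozenset({"svc:postgres"}), b"TO PROGRAM"),
]


def tailored_signatures(host_workloads: Dict[str, FrozenSet[str]], catalog=CATALOG):
    """Load a signature only if some workload on the host has every attribute
    the signature is written for (workload context drives the rule set)."""
    return [sig for sig in catalog
            if any(sig.applies_to <= attrs for attrs in host_workloads.values())]


@dataclass(frozen=True)
class Alert:
    host: str
    workload: str
    src_ip: str
    sid: int
    name: str


def inspect(host: str, host_workloads, packets, tailor: bool = True,
            catalog=CATALOG) -> List[Alert]:
    """Match loaded signatures against (dst workload, src ip, payload) tuples.
    tailor=False loads the whole catalogue, for comparison."""
    sigs = tailored_signatures(host_workloads, catalog) if tailor else list(catalog)
    alerts = []
    for workload, src_ip, payload in packets:
        for sig in sigs:
            if sig.pattern in payload:
                alerts.append(Alert(host, workload, src_ip, sig.sid, sig.name))
    return alerts


def aggregate(alerts: List[Alert]):
    """NDR-style roll-up: group per-host alerts by source so one actor touching
    several hosts shows up as one intrusion instead of scattered alerts."""
    by_src = defaultdict(lambda: {"hosts": set(), "workloads": set(), "signatures": set()})
    for a in alerts:
        entry = by_src[a.src_ip]
        entry["hosts"].add(a.host)
        entry["workloads"].add(a.workload)
        entry["signatures"].add(a.name)
    return dict(by_src)


# Constructed inventory: a Linux web host and a mixed database/file-server host.
HOST1 = {"web01": frozenset({"os:linux", "svc:http"})}
HOST2 = {"db01": frozenset({"os:linux", "svc:postgres"}),
         "fs01": frozenset({"os:windows", "svc:smb"})}

# Constructed packets: (destination workload, source ip, payload bytes).
PACKETS_HOST1 = [
    ("web01", "203.0.113.7", b"GET /../../etc/passwd HTTP/1.1"),
    # HTTP query text that happens to contain the SMB pattern: a false positive
    # on a host that loads every signature, a non-event on a tailored host.
    ("web01", "203.0.113.7", b"GET /search?q=\\ADMIN$ HTTP/1.1"),
]
PACKETS_HOST2 = [
    ("fs01", "203.0.113.7", b"\x00SMB\\ADMIN$"),
    ("db01", "198.51.100.9", b"COPY t TO PROGRAM '...'"),
]

if __name__ == "__main__":
    print("esx-1 loads:", [s.sid for s in tailored_signatures(HOST1)])
    print("esx-1 alerts, tailored:", len(inspect("esx-1", HOST1, PACKETS_HOST1)))
    print("esx-1 alerts, full catalogue:",
          len(inspect("esx-1", HOST1, PACKETS_HOST1, tailor=False)))
    all_alerts = (inspect("esx-1", HOST1, PACKETS_HOST1)
                  + inspect("esx-2", HOST2, PACKETS_HOST2))
    for src, view in aggregate(all_alerts).items():
        print(src, sorted(view["hosts"]), sorted(view["signatures"]))
```

The comparison to watch is the web host: with the full catalogue it raises two alerts, one of them an SMB signature firing on an HTTP query string, while the tailored set raises only the one that matters. The roll-up then shows the same source address hitting both hosts, which is the cross-asset view an analyst wants rather than two unrelated per-host alerts.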

“Never give up, never surrender”

Securing your data and adopting a Zero Trust architecture is not for the faint of heart. It’s a never-ending battle against cybercriminals. Security teams need the right software, combined with the right automation and scalability to defend their environment and be victorious.

VMware Network Security services are here to help. Visit VMware Virtual Cloud Network to learn more about our services.

[1] https://www.isc2.org/-/media/ISC2/Research/2020/Workforce-Study/ISC2ResearchDrivenWhitepaperFINAL.ashx?la=en&hash=2879EE167ACBA7100C330429C7EBC623BAF4E07B